caddytls: Support ACME alt cert chain preferences

This commit is contained in:
Matthew Holt 2020-11-12 15:02:35 -07:00
parent 3db60e6cba
commit 95af4262a8
3 changed files with 9 additions and 3 deletions

2
go.mod
View file

@ -6,7 +6,7 @@ require (
github.com/Masterminds/sprig/v3 v3.1.0 github.com/Masterminds/sprig/v3 v3.1.0
github.com/alecthomas/chroma v0.8.0 github.com/alecthomas/chroma v0.8.0
github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a
github.com/caddyserver/certmagic v0.12.1-0.20201021150819-90d1550af48c github.com/caddyserver/certmagic v0.12.1-0.20201112220015-12df2be5a021
github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
github.com/go-chi/chi v4.1.2+incompatible github.com/go-chi/chi v4.1.2+incompatible
github.com/google/cel-go v0.5.1 github.com/google/cel-go v0.5.1

4
go.sum
View file

@ -85,8 +85,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK
github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
github.com/caddyserver/certmagic v0.12.1-0.20201021150819-90d1550af48c h1:IvUz1LXmHL2y3UVGbzmnvz5/2CA1rvurJA/AL4reKKI= github.com/caddyserver/certmagic v0.12.1-0.20201112220015-12df2be5a021 h1:VY4JahIicW/GT84KoIm+TSKwMHj08NyPJhsGypTWJn4=
github.com/caddyserver/certmagic v0.12.1-0.20201021150819-90d1550af48c/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U= github.com/caddyserver/certmagic v0.12.1-0.20201112220015-12df2be5a021/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U=
github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=

View file

@ -74,6 +74,11 @@ type ACMEIssuer struct {
// is internal or for development/testing purposes. // is internal or for development/testing purposes.
TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"` TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"`
// List of preferred certificate chains, by issuer's CommonName. If empty,
// or if no matching chain is found, the first chain offered by the server
// will be used.
PreferredChains []string `json:"preferred_chains,omitempty"`
rootPool *x509.CertPool rootPool *x509.CertPool
template certmagic.ACMEManager template certmagic.ACMEManager
magic *certmagic.Config magic *certmagic.Config
@ -149,6 +154,7 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
CertObtainTimeout: time.Duration(iss.ACMETimeout), CertObtainTimeout: time.Duration(iss.ACMETimeout),
TrustedRoots: iss.rootPool, TrustedRoots: iss.rootPool,
ExternalAccount: iss.ExternalAccount, ExternalAccount: iss.ExternalAccount,
PreferredChains: iss.PreferredChains,
Logger: iss.logger, Logger: iss.logger,
} }